So, I may be coming around on this legitimate interest thing. This is from Marketo's policy...
Privacy Notice » Marketo Documents
Our legal basis for collecting and using the Personal Data described above will depend on the Personal Data concerned and the specific context in which we collect it. We will collect and use your Personal Data where the processing is in our legitimate business interests, such as for direct marketing and sales of Marketo’s Marketing Automation Platform and Applications to prospective Business-to-Business (B2B) customers. Our legal basis for processing Personal Data in certain circumstances will also be based on your consent to do so or where we need the Personal Data to perform a contract with you or in order to enter into a contract with you. In some cases, we may also have a legal obligation to collect Personal Data from you.
So basically, the way I am reading the law is that there are multiple categories that allow for personal data to be collected. Consent is one, legitimate interest is another. Under LI, it is worded to say LI for US or LI for them.
Under "How do they collect information" they also state: "Information From Other Sources: In order to enhance our ability to provide relevant marketing, offers, and services to you, we obtain information about you from other sources, such as public databases, joint marketing partners, social media platforms, as well as from other third parties." So that could mean, for example, an email address from a prospect's public website in the public domain.
Here is a statement from Salesloft: "Let’s start by taking a look at how GDPR will affect prospecting. The regulation doesn’t directly call out cold calling and cold email, but it does require you to have a legal basis to process data. Two common legal bases for processing are consent of the data subject, which is your prospect, and legitimate interest of the controller, which is you."
The law states that so long as the person could likely expect you to process their data, then it's OK. So most people are in fact reading this as "fit for business". I'm reading/thinking that the regulatory body is more about getting people to think better, spam less, make marketing more personalised and more targeted. It's not trying to stop people marketing altogether without consent. The "rights of the individual" under legitimate interests are ambiguous and I believe designed to protect people such as children etc. "legitimate interest balanced against the fundamental rights of data subjects"
Now, this data provider of mine is still bad because they are not stating that they are reselling people's data in their Privacy policy, whereas Marketo's states the following:
How Will Marketo Share Personal Data It Receives?
Third-Party Business Partners: Marketo partners with a variety of businesses and works closely with them to market or sell products or services. In certain situations, these businesses operate within the Sites. We may disclose Personal Data to our partners for the purposes described above. Some of our third-party business partners co-sponsor events and other offerings with Marketo. We may share Personal Data with these co-sponsors when you sign up for events or offerings to allow our partners to send you marketing communications and information that may be of interest to you, as permitted under applicable law.
Maybe I am wrong after all. I mean Sanford's comment above was in response to them selling the data to me and not stating so in their policy. But forget that provider breaking the law for a second.
If we procure a record of a person and stand by that our legitimate interest is that we believe they are a decision maker and thus should reasonably expect us to target them as a prospective B2B customer, providing the means to opt out and making our privacy policy clear in those communications, and that this does not infringe on their fundamental rights, then I think we're OK. There are some very large companies taking this stance and a select few that are going "consent only" for EU, some going consent only for all. Maybe, until there is precedent of punishment for a targeted B2B email, then we should not limit ourselves?